Fortinet has patched a critical SQL injection flaw in FortiWeb, tracked as CVE-2025-25257 and rated 9.6 on the CVSS scale. The bug is an improper neutralization of special elements in SQL commands within the Fabric Connector component: attacker-controlled data arriving through the GUI interface that FortiWeb uses to link with other Fortinet services reaches backend SQL queries without sanitization.
Security researcher Kentaro Kawane (GMO Cybersecurity) reported that the flaw can be exploited by unauthenticated attackers who send crafted HTTP or HTTPS requests that alter the SQL queries executed on the backend. The vulnerable code is the get_fabric_user_by_token function, which is called from fabric_access_check, a shared handler for several API routes, including:
/api/fabric/device/status
/api/v[0-9]/fabric/widget/[a-z]+
/api/v[0-9]/fabric/widget
In affected builds, the Bearer token taken from the request's Authorization header is formatted straight into the text of the SQL statement, so quote characters and SQL syntax inside the token change the query that runs, giving an unauthenticated attacker arbitrary query execution. According to watchTowr Labs, it is this use of raw format strings to build SQL, rather than prepared statements with bound parameters, that makes exploitation possible.
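To make the difference concrete, the following is an added illustration, not Fortinet's code or watchTowr's: a stand-in for the fabric_access_check flow backed by an in-memory SQLite table. The table name, column names, token format and the hex-only token check are assumptions for the demo. The vulnerable lookup builds the query with a format string, as described above; the hardened lookup binds the token as a parameter and rejects malformed tokens before they reach the database.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for a fabric user table; not FortiWeb's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fabric_user (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    db.executemany(
        "INSERT INTO fabric_user (name, token) VALUES (?, ?)",
        [("fabric-admin", "f3a1c0ffee"), ("fabric-ro", "deadbeef01")],
    )
    db.commit()
    return db


def extract_bearer(headers):
    """Return the Bearer token from an Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return auth[len("Bearer "):]


def vulnerable_lookup(db, token):
    # Format-string query: the token becomes part of the SQL text, so a quote
    # in it closes the string literal and the rest is parsed as SQL.
    query = "SELECT id, name FROM fabric_user WHERE token='%s'" % token
    return db.execute(query).fetchone()


def hardened_lookup(db, token):
    # Defence in depth (assumed token shape for this demo): refuse anything
    # that is not a plain hex token before it touches the database.
    if not re.fullmatch(r"[0-9a-f]{8,64}", token):
        return None
    # Parameterized query: the token is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT id, name FROM fabric_user WHERE token=?", (token,)
    ).fetchone()


def fabric_access_check(db, headers, lookup):
    """Resolve the caller's fabric user from the request headers, or None."""
    token = extract_bearer(headers)
    if token is None:
        return None
    return lookup(db, token)


if __name__ == "__main__":
    db = build_db()
    # Constructed attacker request: the token closes the quote and adds a tautology.
    attacker = {"Authorization": "Bearer ' OR '1'='1"}
    print("vulnerable:", fabric_access_check(db, attacker, vulnerable_lookup))  # (1, 'fabric-admin')
    print("hardened:  ", fabric_access_check(db, attacker, hardened_lookup))    # None
```

With the format-string version the tautology in the token turns the WHERE clause into `token='' OR '1'='1'`, and the lookup returns the first user in the table, so an attacker with no credentials is treated as a fabric user. The parameterized version returns nothing for the same input, and the shape check in front of it means the database never sees the payload at all.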
In certain cases the injection can be escalated to remote code execution. Because the MySQL daemon that executes the injected query runs as the mysql user, an attacker could append a SELECT … INTO OUTFILE statement to write a file, such as a malicious script, to any location that account can write to. Once written, that payload could be launched with Python or a similar interpreter available on the host.
At the time of writing, neither Fortinet nor Arctic Wolf had observed in-the-wild exploitation or a public proof of concept. Fortinet nonetheless urges immediate patching: its products are historically high-value targets, as the exploitation of CVE-2024-55591 against FortiGate management interfaces showed.
Impacted Versions:
FortiWeb 7.6.0–7.6.3 → Patch to 7.6.4+
FortiWeb 7.4.0–7.4.7 → Patch to 7.4.8+
FortiWeb 7.2.0–7.2.10 → Patch to 7.2.11+
FortiWeb 7.0.0–7.0.10 → Patch to 7.0.11+
Mitigation: If immediate patching isn't possible, Fortinet's workaround is to disable the HTTP and HTTPS administrative interface, on every interface that exposes it, which keeps the affected API routes unreachable until the upgrade can be applied. Patched builds replace the string-built queries with parameterized statements, so the token is bound as data rather than interpreted as SQL. Prompt patching is strongly advised to prevent weaponization.